cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can you collate a EVENT ID which is occurring against multiple machines

hirogen
Engaged Sweeper III
Just wondering if you can create a report on machines which have the same event id error in this case 1126 as I noticed it on a few of our critical machines and would like to check to see if the other machines have the same error, if not powershell will suffice -



Event Id 1126
Source Microsoft-Windows-GroupPolicy
Description Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator’s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.
Event Information According to Microsoft :
Cause :
This event is logged when Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user.
Resolution :
Correct time differential
To correct time differential from the client:
1.Verify that the time and time zone information on the computer are correct. A time difference greater than five minutes between the computer and the domain controller may lead to the computer failing to authenticate with the domain.
2.Force the time service on the computer to synchronize time with a domain controller by running w32tm /resync as an administrator.
3.Check the Event Viewer for other events related to time synchronization.
Verify :
Group Policy applies during computer startup and user logon. Afterward, Group Policy applies every 90 to 120 minutes. Events appearing in the event log may not reflect the most current state of Group Policy. Therefore, you should always refresh Group Policy to determine if Group Policy is working correctly.
To refresh Group Policy on a specific computer:
1.Open theStart menu. Click All Programs and then clickAccessories.
2.ClickCommand Prompt.
3.In the command prompt window, typegpupdate and then press ENTER.
4.When the gpupdate command completes, open the Event Viewer.
Reference Links Event ID 1126 from Source Microsoft-Windows-GroupPolicy
1 ACCEPTED SOLUTION

rom
Engaged Sweeper III
This should work - (take the event log 7 days report and modify it) - you can also set an email alert if the report has any data...



Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
tblAssets.Lastseen,
tblAssets.Lasttried,
tblNtlog.Eventcode,
Case tblNtlog.Eventtype
When 1 Then 'Error'
When 2 Then 'Warning'
When 3 Then 'Information'
When 4 Then 'Security Audit Success'
When 5 Then 'Security Audit Failure'
End As EventType,
tblNtlog.TimeGenerated,
tblNtlogSource.Sourcename,
tblNtlogFile.Logfile,
tblNtlogUser.Loguser,
tblNtlogMessage.Message
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where Case tblNtlog.Eventtype
When 1 Then 'Error'
When 2 Then 'Warning'
When 3 Then 'Information'
When 4 Then 'Security Audit Success'
When 5 Then 'Security Audit Failure'
End = 'Error' And tblNtlog.Eventcode = 1126 And tblNtlog.TimeGenerated > GetDate() - 7 And
tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
tblAssets.Domain,
tblAssets.AssetName

View solution in original post

2 REPLIES 2

hirogen
Engaged Sweeper III
Thankyou!

rom
Engaged Sweeper III
This should work - (take the event log 7 days report and modify it) - you can also set an email alert if the report has any data...



Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
tblAssets.Lastseen,
tblAssets.Lasttried,
tblNtlog.Eventcode,
Case tblNtlog.Eventtype
When 1 Then 'Error'
When 2 Then 'Warning'
When 3 Then 'Information'
When 4 Then 'Security Audit Success'
When 5 Then 'Security Audit Failure'
End As EventType,
tblNtlog.TimeGenerated,
tblNtlogSource.Sourcename,
tblNtlogFile.Logfile,
tblNtlogUser.Loguser,
tblNtlogMessage.Message
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblState On tblState.State = tblAssetCustom.State
Inner Join tblNtlog On tblNtlog.AssetID = tblAssets.AssetID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogUser On tblNtlogUser.LoguserID = tblNtlog.LoguserID
Inner Join tblNtlogFile On tblNtlogFile.LogfileID = tblNtlog.LogfileID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where Case tblNtlog.Eventtype
When 1 Then 'Error'
When 2 Then 'Warning'
When 3 Then 'Information'
When 4 Then 'Security Audit Success'
When 5 Then 'Security Audit Failure'
End = 'Error' And tblNtlog.Eventcode = 1126 And tblNtlog.TimeGenerated > GetDate() - 7 And
tblState.Statename = 'Active'
Order By tblNtlog.TimeGenerated Desc,
tblAssets.Domain,
tblAssets.AssetName